URL/Extension Block

Unanswered Question
Aug 26th, 2008

I have a Cisco 38xx series with IOS 12.4(2)T6.

I am trying to block specific extensions and specific URLs so that users can't access/download them.

I did the following configuration, but only YouTube is not working; all the rest of the downloading and URLs are working fine.

class-map match-any p2p
 match protocol fasttrack file-transfer "*"
 match protocol gnutella file-transfer "*"
 match protocol bittorrent
class-map match-any youtube
 match protocol http url "*youtube*"
 match protocol http host "*youtube.com"
 match protocol http url "*kh.google.com*"
 match protocol http url "*pakiztan.tv*"
 match protocol http url "*pakiztan*"
 match access-group name webblock
 match protocol http url "*.rar*"
 match protocol http url "*.zip*"
 match protocol http url "*.exe*"
 match protocol http url "*www.pakisztan.tv*"
 match protocol http url "*www.pakiztan.tv*"
 match protocol http url "*.flv*"
 match protocol http url "*.avi*"
 match protocol http url "*.mpg*"
 match protocol http url "*.mpeg*"
 match protocol http url "*.mp33*"
 match protocol http url ".exe*"
 match protocol http url ".zip*"
 match protocol http url ".flv*"
 match protocol http url ".mpg*"
!
!
policy-map p2p
 class p2p
  drop
 class youtube
  drop
ip access-list extended webblock
 deny udp any any eq 554
 deny tcp any any eq 2979
 deny udp any any eq 2979
 deny tcp any any eq 1790
 deny udp any any eq 1790
 deny tcp any any eq 1755
 deny udp any any eq 1755
 deny tcp any any eq 1736
 deny udp any any eq 1736
 deny tcp any any eq 537
 deny udp any any eq 537
 deny tcp any any eq 554
interface GigabitEthernet0/1
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 service-policy input p2p

Please tell me how to block the users from downloading etc.

Marwan ALshawi Tue, 08/26/2008 - 06:56

Your config should be something like:

parameter-map type regex url1
 pattern [\.yahoo\.com]
class-map type inspect http urlclass1
 match req-resp header regex url1
policy-map type inspect http policy1
 class type inspect http urlclass1
  reset

Then apply the policy.

The above is only an example.

You have more flexibility, and I am not 100% sure about the regex pattern above, but it should be like that to some extent.

Have a look at the following link.

Search for the regex keyword and see its config:

http://www.cisco.com/application/pdf/paws/98628/zone-design-guide.pdf

Good luck.

Please rate if helpful.
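
The class-map in the question places host names such as `*pakiztan.tv*` under the `url` keyword. The following is an added example, not code from the thread, that models which of those match lines can classify a request. It assumes that NBAR tests `host` patterns against the Host header and `url` patterns against the path after the host name, and that its wildcards behave like anchored UNIX filename globs; the function names and sample requests are constructed for illustration.

```python
"""Model of which NBAR HTTP match lines from the question can classify a request.

Assumptions (not from the thread): `host` patterns see only the Host header,
`url` patterns see only the path after the host name, and wildcard strings
behave like anchored UNIX filename globs (modelled here with fnmatch).
"""
from fnmatch import fnmatchcase

# Subset of the match lines posted in the question.
CLASS_MAP = '''
match protocol http url "*youtube*"
match protocol http host "*youtube.com"
match protocol http url "*pakiztan.tv*"
match protocol http url "*pakiztan*"
match protocol http url "*www.pakiztan.tv*"
match protocol http url "*.exe*"
'''

def parse_rules(config):
    """Return (field, pattern) pairs for each `match protocol http host|url` line."""
    rules = []
    for line in config.splitlines():
        words = line.split()
        if (len(words) == 5 and words[:3] == ["match", "protocol", "http"]
                and words[3] in ("host", "url")):
            rules.append((words[3], words[4].strip('"')))
    return rules

def matching_rules(rules, host, path):
    """Rules that classify the request when each field is tested separately."""
    subject = {"host": host.lower(), "url": path.lower()}
    return [(f, p) for f, p in rules if fnmatchcase(subject[f], p.lower())]

def misplaced_host_patterns(rules, host, path):
    """`url` patterns that fit the Host header but are only tested on the path."""
    return [p for f, p in rules
            if f == "url" and fnmatchcase(host.lower(), p.lower())
            and not fnmatchcase(path.lower(), p.lower())]

if __name__ == "__main__":
    rules = parse_rules(CLASS_MAP)
    # Constructed sample requests: (Host header, request path).
    for host, path in [("www.youtube.com", "/watch?v=abc"),
                       ("www.pakiztan.tv", "/live/index.html"),
                       ("dl.example.net", "/files/setup.exe")]:
        print(host + path, "->", matching_rules(rules, host, path) or "no match",
              "| candidates for `host`:", misplaced_host_patterns(rules, host, path))
```

Patterns reported as candidates for `host` are the ones to move to `match protocol http host`; the model covers only the field being tested, not other NBAR limits on the router.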
